Domain Bypass

Domain bypass allows specified domains to be routed outside the encrypted VPN tunnel, directly through the regular internet connection. This can be beneficial in scenarios where certain traffic doesn't need to or shouldn't be sent through the VPN for performance, compatibility, or security reasons.

When domain bypass is configured, the VPN client checks each outgoing network request against a list of excluded domains. If the target domain matches an entry in the bypass list, the request is routed through the device's regular network interface and internet connection. If there's no match, the request is sent through the encrypted VPN tunnel as normal.

How it works

Domain can be assigned to more than one DNS record and there is no way to take all addresses even for one domain name. For example, google uses a lot of CDN servers and when you open google.com with and without VPN traffic will go to different servers.

All requests to unknown resources start with domain resolving and SDK handles those DNS responses and if domain is in bypass list then SDK creates routes for addresses immediately.

SDK doesn't store any data about visited sites by user.

Domain bypass will not work if user uses any DNS protection methods like DNS-over-TLS. There is no way to resolve all IP addresses even for one domain.

Additional info about common issues can be found on the page Common issues.

Updating Bypass Domain

To update the bypass domain list programmatically, you can utilize the following:

Using "ConfigureFirewallAsync" will create the necessary bypass rules only after the VPN tunnel is up. If you want to explicitly apply domain bypass immediately after sending to the SDK - use "ConfigureBypassDomains/ConfigureBypassDomainsAsync".

var sdk = new SDK();
var request = new FirewallRequest
{
    UpdateBypassDomains = new UpdateBypassDomainsRequest
    {
        Domains = new List<string> { "domain1.com", "domain2.net", "domain3.org" }
    }
};

var result = await sdk.ConfigureFirewallAsync(request).ConfigureAwait(false);
Console.WriteLine(result.UpdateBypassDomains);
// Message: "Ok"
// Result: Ok

In this example, by setting its Domains property to a list of domain names, those domains will be routed outside the VPN tunnel whenever they are accessed.

Explicitly Updating Bypass Domain

var sdk = new SDK();
var request = new BypassDomainsRequest()
{
    UpdateBypassDomains = new UpdateBypassDomainsRequest()
    {
        Domains = new List<string> { "domain1.com", "domain2.net", "domain3.org" }
    },
};

var result = await sdk.ConfigureBypassDomainsAsync(request).ConfigureAwait(false);
Console.WriteLine(result.UpdateBypassDomains);
// Message: "Ok"
// Result: Ok    

Use Cases

There are several common scenarios where bypassing the VPN for certain domains can be advantageous:

Use Case	Description
Accessing Local Network Resources	If the VPN client is used on a device connected to a local network, accessing local network shares, printers, or intranet sites through the VPN may be unnecessary and could negatively impact performance. Bypassing the VPN for local domains keeps that traffic routing efficiently on the LAN.
Streaming Geo-Restricted Media	Some streaming platforms restrict content to certain geographic regions based on the user's IP address. When connected to a VPN, this can prevent the user from accessing media available in their actual physical location. Configuring a bypass for domains like netflix.com allows the user to stream content as if they weren't using a VPN.
Reducing VPN Server Load	If an organization has a large number of devices connected to a VPN but only actually needs to secure a subset of their traffic, using domain bypass for non-sensitive domains can significantly reduce the bandwidth and processing burden on the VPN server infrastructure.
Improving Traffic Visibility	In some cases, organizations may want certain traffic bypassing the VPN specifically so they can monitor and filter it using other network security tools that aren't VPN-aware. This allows them to enforce web content policies, detect malware, and log activity even for traffic that doesn't need VPN encryption.